How to tell if a digital signature is trustworthy

Digital signatures play a central role in software security. This article explains what a digital signature is, and how you can check to make sure that a digital signature is trustworthy.

Cool things you can do with Office 2010

The Office Blog

In this article


What is a digital signature?

A digital signature is used to authenticate (authenticate: The process of verifying that people and products are who and what they claim to be. For example, confirming the source and integrity of a software publisher's code by verifying the digital signature used to sign the code.) digital information — such as documents, e-mail messages, and macros — by using computer cryptography. Digital signatures help to establish the following assurances:

  • Authenticity     The digital signature helps to assure that the signer is who they claim to be.
  • Integrity     The digital signature helps to assure that the content has not been changed or tampered with since it was digitally signed.
  • Non-repudiation     The digital signature helps to prove to all parties the origin of the signed content. "Repudiation" refers to the act of a signer's denying any association with the signed content.

To make these assurances, the content must be digitally signed by the content creator, using a signature that satisfies the following criteria:

The 2007 Microsoft Office system programs detect these criteria for you, and alert you if there is a problem with the digital signature. For details, see the last section in this article, How to tell if a digital signature is trustworthy.

Top of Page Top of Page

View a digital signature in a signed document

Which program are you using?


Excel

When you review any signed content, you should look at the attached signature details and the certificate used to create that signature to find out whether there are any potential problems.

  1. With the document open, click the Microsoft Office ButtonButton image, and then click Prepare.
  2. Click View Signatures.

 Tip   You can also click the signatures button at the bottom of your screen.

Signatures button

  1. In the Signatures pane, click the signature that you want to view, click the arrow next to the signature name, and then click Signature Details.

Signatures details

  1. In the Signature Details dialog box, click View.

Evaluating the digital signature is covered in the last section in this article, How to tell if a digital signature is trustworthy.

Top of Page Top of Page

PowerPoint

When you review any signed content, you should look at the attached signature details and the certificate used to create that signature to find out whether there are any potential problems.

  1. With the document open, click the Microsoft Office ButtonButton image, and then click Prepare.
  2. Click View Signatures.

 Tip   You can also click the signatures button at the bottom of your screen.

Signatures button

  1. In the Signatures pane, click the signature that you want to view, click the arrow next to the signature name, and then click Signature Details.

Signatures details

  1. In the Signature Details dialog box, click View.

Evaluating the digital signature is covered in the last section in this article, How to tell if a digital signature is trustworthy.

Top of Page Top of Page

Word

When you review any signed content, you should look at the attached signature details and the certificate used to create that signature to find out whether there are any potential problems.

  1. With the document open, click the Microsoft Office ButtonButton image, and then click Prepare.
  2. Click View Signatures.

 Tip   You can also click the signatures button at the bottom of your screen.

Signatures button

  1. In the Signatures pane, click the signature that you want to view, click the arrow next to the signature name, and then click Signature Details.

Signatures details

  1. In the Signature Details dialog box, click View.

Evaluating the digital signature is covered in the last section in this article, How to tell if a digital signature is trustworthy.

Top of Page Top of Page

View a digital signature in a signed e-mail message

  1. Open the digitally signed message.
  2. Look at the Signed By status line and note the e-mail address of the person who signed the message.

Signed By status line

 Important   It is not enough to check the e-mail address in the From line, because it is necessary to verify who actually signed the message, and not just who sent it. If the e-mail address in the From line does not match the e-mail address in the Signed By status line, the Signed by line is the one to use in identifying who actually sent the message.

Digital signature

  1. Check to see whether the signature is valid or invalid.
    • If the button on the Signed By status line appears similar to the following Signature button Button image, the signature is valid. For more information about the status of the signature, click the button.
    • If a red underline appears under the Signed By status line and if the button appears as an exclamation mark, the signature is invalid. For more information about the status of the signature, click the button.

Signed By

  1. To see more information about why there is a problem with the digital signature, such as the certificate being invalid, click Details.

Digital Signature Invalid

  1. In the next security dialog box that appears, click View Details to see information about the certificate used in the digital signature.

Top of Page Top of Page

View a digital signature for a signed macro

When you open a document that contains a signed macro project and there is a problem with the signature, the macro is disabled by default and the Message Bar appears to notify you of a potentially unsafe macro. However, this does not occur if you are opening the document from a trusted location.

Message Bar

If the macros have been signed, you can view the certificates for the files by doing the following:

  1. On the Message Bar, click Options.
  2. If the macros are signed, you see in the security dialog box a Signature area that looks similar to the following illustration.

Signature

  1. Click Show Signature Details.

Top of Page Top of Page

How to tell if a digital signature is trustworthy

This section describes what you should look for when you evaluate the trustworthiness of a digital signature.

The digital signature is OK

A valid digital signature is identified by a message at the top of the Digital Signature Details dialog box, confirming that the digital signature is OK. You should also note the timestamp details under Countersignatures. The timestamp details indicate that the certificate authority — in this example, VeriSign — has verified and approved the digital signature.

Digital Signature Details dialog box

The date for the time stamp — in this case, August 7, 2003 — should be within the Valid from date range in the certificate. To see the date range in the digital signature, click View Certificate.

Certificate dialog box

The publisher — in this case, Microsoft Corporation — should be a trusted publisher by default on computers running the Microsoft Windows operating system. Certificates for Microsoft are located in the Trusted Root Certification Authorities store. If the publisher is not trusted by default, you must explicitly trust the publisher. Otherwise, the content signed by that publisher does not pass the security software checks.

Checking for the red X

A digital signature that presents problems shows the image with a red X.

Digital Signature Details dialog box

The red X can appear for the following reasons:

What you should you do if there is a problem with a signature

When there is a problem with a digital signature, then depending upon your situation, you can do any of the following:

  • You can contact the source of the signed content, and let them know that there is a problem with the signature.
  • Contact the IT administrator in charge of your organization's security infrastructure.
  • If you feel that the macro or other active content associated with the document is trustworthy, you can save the document to a trusted location. Documents in trusted locations are allowed to run without being checked by the Trust Center security system. Using trusted locations is a better option than lowering your security level settings for all macros.
  • You can explicitly trust the publisher.

Top of Page Top of Page

 
 
Applies to:
Access 2007, Excel 2007, InfoPath 2007, OneNote 2007, PowerPoint 2007, Publisher 2007, Visio 2007, Word 2007